I can't tell if this is serious or satire.
Relevant XKCD, Standards: https://xkcd.com/927/
Response header size notwithstanding, isn't this really a problem of app servers having really shitty default headers?
You make people turn off safety features manually and the rest of us are fine.
> Allows CORS from any domain with any headers without OPTIONS preflights.
That'd be a great way to make CSRF attacks from any domain a default setting.
And then we will have compatibility tests for browsers that implement how they read SOTA differently. Yuck.
So you add this header. And then something new comes up. What then?
If the same header automatically adds that meaning as well, your site can break essentially randomly, unless you keep tabs on the new stuff and adapt the site to handle it - in which case, you don't really need this header, you can just add the new stuff as it comes up.
If the header is fixed in meaning ("best practices as of 03/2017"), then what value was really gained over simply copy-pasting a list of the recommended headers as of that date?
It just seems like it's either mostly useless, or too dangerous to use.